ITIM: setting the erPassword attribute by means of a custom workflow

‏2006-12-18T12:26:05Z

Hi guys,
I want to customize the ChangePassword workflow to synchronize the password of two different accounts, i.e., when the ITIM password is changed, the same password will be set in the Windows account. If it were a normal attribute, the following code would work...

[i]2006-12-18 12:23:57,934:queue:///WQ_itim_wf?persistence=2-6<ERROR:com.ibm.itim.workflow.engine.WorkflowEngine>Application activity exception. http://java.lang.ClassCastException java.lang.String
java.lang.ClassCastException: java.lang.String
at com.ibm.itim.common.AttributeValue.getBytes(AttributeValue.java:469)
at com.ibm.itim.dataservices.model.domain.Account.getPassword(Account.java:336)
at com.ibm.itim.workflowextensions.RemoteServicesAdapter.changePassword(RemoteServicesAdapter.java:427)
at com.ibm.itim.workflowextensions.AccountExtensions.changePassword(AccountExtensions.java:1020)
at java.lang.reflect.Method.invoke(Native Method)
at com.ibm.itim.workflow.engine.ApplicationActivityExecutor.execute(ApplicationActivityExecutor.java(Compiled Code))
at com.ibm.itim.workflow.engine.WorkflowEngine.executeActivity(WorkflowEngine.java:2526)
at com.ibm.itim.workflow.engine.WorkflowEngine.processMessage(WorkflowEngine.java:587)
at com.ibm.itim.workflow.engine.ExecutionContext.processMessage(ExecutionContext.java:975)
at com.ibm.itim.workflow.engine.MessageRouter.onMessage(MessageRouter.java:75)
at com.ibm.itim.messaging.MessageManagerListener.processTransactedQueue(MessageManagerListener.java(Compiled Code))
at com.ibm.itim.messaging.MessageManagerListener.run(MessageManagerListener.java:306)
[/i]

Re: ITIM: setting the erPassword attribute by means of a custom workflow

ITIM will do that for you if you check "Enable password synchronization", or if the password change comes from a password interceptor.

If you really have to do it yourself in a workflow then in 4.6 (not 4.5) there are un-documented (and therefore unsupported) calls to decrypt and re-encrypt the password. Tried them in a lab & they were fine - wasn't keen on deploying them myself - they may also have been deprecated:
entity.get().getAndDecryptPassword();
entity.get().setAndEncryptPassword(String);

Re: ITIM: setting the erPassword attribute by means of a custom workflow

Poorly documented maybe, but I don't believe they are unsupported. (But I don't speak for ITIM support, so I might be wrong.)

There are a few more details to using these methods. First, you must add the property "javascript.password.access.enabled=true" to your fesiextensions.properties file.

Second, there are similar methods available on person objects, but the names are getAndDecryptSyncPassword and setAndEncryptSyncPassword. These only work if you have password synchronization enabled.

Finally, the getAndDecryptPassword method only works on account objects that are passed as inputs to your workflow. It will not work on accounts you read from the directory using something such as AccountSearch.searchByFilter(). The reason is that the account objects passed as inputs to the workflow have encrypted passwords, so that the passwords can be decrypted and sent to an adapter. But the account objects that are stored in the directory have hashed passwords. There is no way to decrypt those.
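
The distinction drawn in the last reply, between an encrypted password on a workflow-input account and a hashed one on the directory copy, modeled as an added example (not ITIM code and not posted by anyone in this thread). AES-256-GCM and scrypt are stand-ins rather than the algorithms ITIM uses, and every name except getAndDecryptPassword is hypothetical.

```javascript
// Added model, not ITIM code: shows why a hashed directory copy cannot be decrypted.
const nodeCrypto = require("node:crypto");

const KEY = nodeCrypto.randomBytes(32); // stand-in for the server-side encryption key

// Reversible form: what a workflow-input account carries so the clear text
// can be recovered and sent to an adapter.
function encryptPassword(clear) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", KEY, iv);
  const body = Buffer.concat([c.update(clear, "utf8"), c.final()]);
  return { kind: "encrypted", iv, body, tag: c.getAuthTag() };
}

// One-way form: what the directory copy holds. It supports verification only.
function hashPassword(clear) {
  const salt = nodeCrypto.randomBytes(16);
  return { kind: "hashed", salt, digest: nodeCrypto.scryptSync(clear, salt, 32) };
}

function verifyHashed(stored, candidate) {
  const d = nodeCrypto.scryptSync(candidate, stored.salt, 32);
  return nodeCrypto.timingSafeEqual(d, stored.digest);
}

// Hypothetical account wrapper exposing the method name quoted in the thread.
function makeAccount(stored) {
  return {
    getAndDecryptPassword() {
      if (stored.kind !== "encrypted") {
        throw new Error("password is hashed; there is nothing to decrypt");
      }
      const d = nodeCrypto.createDecipheriv("aes-256-gcm", KEY, stored.iv);
      d.setAuthTag(stored.tag);
      return Buffer.concat([d.update(stored.body), d.final()]).toString("utf8");
    },
    checkPassword: (candidate) =>
      stored.kind === "hashed" ? verifyHashed(stored, candidate) : null,
  };
}

// Returns the clear text, or null when the stored form is not reversible.
function tryDecrypt(account) {
  try { return account.getAndDecryptPassword(); } catch (e) { return null; }
}

const SAMPLE = "Constructed-Sample-1"; // constructed value, not a real credential
const workflowInput = makeAccount(encryptPassword(SAMPLE));
const directoryCopy = makeAccount(hashPassword(SAMPLE));
```
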